Advanced Interceptor Configuration

Interceptors are responsible for the enforcement of permissions. There is one interceptor for each service type like ArcGIS Server or WMS.

You can change the default behavior inside the XML files in the folder [INSTALL_FOLDER]/webapp/wss/WEB-INF/classes/enforcementpoint-modules/. The files inside this folder use the following naming pattern:

  • [SERVICE_TYPE]-module.xml (services protected by policies)

  • [SERVICE_TYPE]-LIC-module.xml (services protected by licenses)

This chapter describes the settings for each type of interceptor. The list of properties is a selection of the most important properties and might be extended over time.

Common parameters

These parameters can be used in multiple interceptor configuration files.

Property Description

checkAuthorizationNameHeader

Name of the HTTP response header attribute that indicates if the service is secured.

usernameHeader

Name of the HTTP header attributes that contains the username.

rolenamesHeader

Name of the HTTP header attributes that contains the roles of the user.

WFS Interceptor

These parameters control the authorization of WFS requests. Files are:

  • WFS-module.xml

  • WFS-LIC-module.xml

Property Description

replaceUrlInGetFeatureAndDescribeFeatureResponse

Controls URL replacement inside XML of GetFeature responses and DescribeFeatureType responses. If set to true, all URLs pointing to the internal host providing the protected WFS instance are replaced by URLs pointing to the WSS of security.manager. Setting this property to true has a negative impact on performance and memory consumption.

Allowed values: true, false

allowStoredQueriesInGeneral

Offers the possibility to allow stored queries in general for WFS 2.0. If set to true, all stored queries are allowed, but only urn:ogc:def:query:OGC-WFS::GetFeatureById is authorized according to the defined permissions. If set to false, stored queries are blocked except urn:ogc:def:query:OGC-WFS::GetFeatureById

Allowed values: true, false

useCountDefaultAsMaxFeatures

If set to true, the limit for the maximum count of features per request from the WFS capabilities is enforced.

Allowed values: true, false

maxFeaturesToReturn

If useCountDefaultAsMaxFeatures is not set or the WFS capabilities have no maximum count, this value is used for the maximum feature count per request.

INSPIRE FeatureDownload Service Interceptor

To control the authorization of INSPIRE Feature Download Service requests the same parameters can be used as for the WFS Interceptor.

Files are:

  • INSPIRE-Feature-Download-Service-module.xml

  • INSPIRE-Feature-Download-Service-LIC-module.xml